02 January

doing your part to stop Denial of Service

It's not just for Twitter's protection but your own. Virtually every organization that operates a network connected to the Internet has the ability to serve as an unwitting participant in DoS (Denial of Service) attacks. There are simple steps that can be taken to ensure that you are a good net citizen; in fact, just two will help a great deal.

  • Implement Egress Filtering to Stop Spoofed IP Packets from Leaving Your Network
  • Stop Your Network from Being Used as a Broadcast Amplification Site

Imagine if every data center, broadband and network provider implemented these two steps broadly: the end result would be a significant reduction in the threat posed by DoS attacks.

OK, so now you're convinced. But how do you implement this? Well, I am glad you asked.

I.   Implement Egress Filtering to Stop Spoofed IP Packets from Leaving Your Network

  1. Stop Spoofed IP Packets at the Edge:   The purpose of implementing egress filtering is to prevent forged communications from leaving your network; spoofed source addresses are often used in DoS attacks. This is a simple process: just ensure that your routers and firewalls are configured to only forward packets whose source IP address is local to your network. These, of course, would be the IPs in your BGP-announced and/or ARIN (or ISP) assigned address space. While it is important to do this throughout your network, the network edge connection(s) are essential to have this protection if you are going to be a good net citizen.
  2. Deny Invalid Source IP Addresses:   Imagine if all organizations only allowed traffic to leave their network if it had a valid source IP address that belonged to that network. While this is not a foolproof way of stopping DoS, it would make finding the organization responsible much easier. This is a simple process: just permit all valid IP addresses access to the Internet via your firewall, gateway and routers, and deny all other source addresses, including the private and reserved source IP address ranges below. Keep in mind that if you're using NAT you want to do this on your NAT device as well.
    • 0.0.0.0/8 – Historical Broadcast
    • 10.0.0.0/8 – RFC 1918 Private Network
    • 127.0.0.0/8 – Loopback
    • 169.254.0.0/16 – Link Local Networks
    • 172.16.0.0/12 – RFC 1918 Private Network
    • 192.0.2.0/24 – TEST-NET
    • 192.168.0.0/16 – RFC 1918 Private Network
    • 224.0.0.0/4 – Class D Multicast
    • 240.0.0.0/5 – Class E Reserved
    • 248.0.0.0/5 – Unallocated
    • 255.255.255.255/32 – Broadcast

II.  Stop Your Network from Being Used as a Broadcast Amplification Site

  1. Configuring all of your systems (from your routers, servers, workstations, etc.) so that they do not receive or forward directed broadcast traffic will help make sure your network is not used as a broadcast amplification site. Craig Huegen has written a number of papers on this topic; you may find them here.
  2. Test your network to determine if it is an amplification site. This is as easy as using the "ping" command to send an ICMP echo request packet to the network base IP address of your network(s) as well as the broadcast IP address of your network(s). I suggest that you do this not only from your own network but from an independent third party such as www.DNSStuff.com (note that the basic DNS Stuff service is free).
  3. The HostMedic agency refuses to purchase hardware from any vendor that does not disable IP directed broadcast by default, as outlined in RFC 2644. In fact, we suggest using pfSense at the edge of your network if you are unsure of how to complete all of these tasks. pfSense is FREE and offers low-cost support as well as FREE community-based support.
